The Russian spy agency behind the SolarWinds cyberespionage campaign has launched a new blitz targeting government agencies and civil society groups, commandeering an email marketing account used by the State Department’s international aid agency, Microsoft said late Thursday.
The hackers compromised an email marketing account used by the U.S. Agency for International Development (USAID) to target 3,000 individuals tied to international development, humanitarian work, government organizations and human rights groups, Microsoft vice president Tom Burt wrote in a blog post.
Many of the emails were blocked by automated software, the company said.
The hackers are linked to the Russian Foreign Intelligence Service, or SVR, which carried out the SolarWinds intrusions that compromised at least nine federal agencies and 100 companies in the United States, said analysts tracking the ongoing campaign.
The hackers seem to have leveraged an email service used by USAID to go after their ultimate targets — civil society groups and government agencies in the United States and Europe, said John Hultquist, vice president of intelligence analysis for the cyber firm FireEye.
Having gained control of USAID’s account at the email service, the hackers blasted out emails purporting to be from USAID that were actually “phishing” attempts to entice the recipients to click on malware-laced links that would give the hackers the ability to steal victims’ data and sneak onto connected computers, according to Microsoft and FireEye.
The email service is provided by a Waltham, Mass., firm called Constant Contact.
“We are aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts,” spokesperson Kristen Andrews said. “This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement.”
Microsoft first detected the email phishing campaign in January, and watched it evolve over a “series of waves” of experimentation, the firm said in another blog post. On Tuesday, the campaign escalated when the hackers leveraged the Constant Contact account, Microsoft said.
“This is a reminder that cyberespionage is here to stay,” Hultquist said. “This is louder than SolarWinds — it’s easier to detect — but they are still going after classic espionage targets which have always been their prey of choice.”
While some of the organizations targeted are critics of the Kremlin, more broadly they are groups that provide insight into Russia foreign policy, or deal with European elections or are European government organizations themselves, Hultquist said.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency in a statement Friday said, “We are aware of the potential compromise at USAID through an email marketing platform and are working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.”
While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries, Burt said. At least a quarter of the targeted organizations were involved in international development, and humanitarian and human rights work.
“It is anticipated that additional activity may be carried out by the group using an evolving set of tactics,” said a blog post from Microsoft.
“These attacks appear to be a continuation of multiple efforts’’ by the SVR “to target government agencies involved in foreign policy as part of intelligence gathering efforts,” Burt said.
The SVR hackers’ tactics were at times ham-handed.
In one case, their phishing emails used the lure of documents purporting to be from USAID with information on foreign threats to the 2020 U.S. federal elections, according to the D.C.-based cybersecurity firm Volexity. They used the agency’s distinctive blue and red logo and included the subject line: “USAID Special Alert,” Volexity said in a blog post Thursday.
The alert stated: “Donald Trump has published new documents on election fraud.” It contained an infected link to the supposed documents.
A number of Volexity’s customers contacted the firm on Tuesday to flag the email as suspicious, Volexity President Steven Adair said. Though the emails appeared to be from a “legitimate dot-gov address,” he said, “it’s not what you’d expect to see coming from USAID.”
The “vast majority” of the phishing emails fell flat, he said. Some were blocked as spam. Others were reported as suspicious. But at least one recipient at a U.S.-based organization fell for it and clicked on the link, releasing malware. “But fortunately,” Adair said, “they were detected and stopped early on.”
Aaron Schaffer contributed to this report.